
Cyber Incident Victim: Sentiment

Date: Apr 2023

Location: United States of America

Summary

The Sentiment lending protocol suffered a hack resulting in approximately $1 million in losses. Following negotiations, the attacker returned $870,000 of the stolen funds in exchange for a $95,000 bounty. The incident, which involved a smart contract exploit on the Arbitrum blockchain, drew community comparisons to other recent DeFi exploits and sparked commentary on the effectiveness of traditional bug bounty programs.


Description

On April 4, 2023, the decentralized finance lending protocol Sentiment was exploited on the Arbitrum blockchain. The attack resulted in the loss of user funds from the protocol. Initial public estimates of the financial impact placed the losses at approximately $500,000. However, further investigation by community members analyzing the on-chain transactions later confirmed that the total value of the stolen funds was significantly higher, with losses assessed to be closer to $1 million. The technical nature of the attack was discussed by on-chain analysts, with some suggesting the method may have been a re-entrancy attack, while others attributed the exploit to an unspecified bug within the protocol's code.


In response to the incident, the team behind Sentiment initiated a direct negotiation with the attacker. This approach was executed through an on-chain transaction on the Arbitrum network, which contained a message for the hacker. The message presented a clear offer: if the hacker returned all of the stolen funds by April 6, 2023, they would receive a bounty payment of $95,000 for their cooperation. The message also urged the hacker to "do the right thing." The protocol's message included an alternative offer, stating that if the stolen funds were not returned, the $95,000 bounty would instead be offered to any individual who could provide information leading to the identification and prosecution of the attacker responsible for the exploit.

The negotiation strategy proved successful. The attacker chose to accept the bounty offer and returned the majority of the stolen capital. The progress of this recovery was publicly tracked by MetaMask lead developer Taylor Monahan, who highlighted the on-chain movements of the funds. The hacker returned 414 Ether, which at the time had a value of approximately $870,000. This recovery left the attacker with the agreed-upon bounty of $95,000 from the total amount that was taken. The incident concluded with the protocol successfully recovering a substantial portion of the assets that were compromised during the attack.

This event sparked commentary and discussion within the cryptocurrency community. Some observers drew parallels between the Sentiment incident and another major DeFi exploit that occurred around the same time involving Euler Finance. In that case, which also concluded on April 4, the Euler Finance protocol successfully negotiated for the return of approximately $176.4 million in digital assets after offering the hacker a bounty; the hacker retained nearly $20 million from the original exploit. The community reaction to the Sentiment negotiation was mixed. One perspective, voiced by a community member, framed the entire incident as a consequence of companies not taking formal bug bounty programs seriously enough, suggesting the hacker's actions were effectively a way of "taking it by force." A contrasting viewpoint described the event as essentially "a bug bounty with a criminal step" and used the occurrence to advocate for projects to establish larger and more transparent bug bounty programs to incentivize ethical disclosure of vulnerabilities before they can be exploited maliciously. The resolution of this incident demonstrated a growing trend of negotiated settlements between DeFi protocols and attackers as a method of fund recovery.
